--- title: Add a user to your InfluxDB cluster description: Add a user with administrative access to your InfluxDB cluster through your identity provider and your InfluxDB AppInstance resource. url: https://docs.influxdata.com/influxdb3/clustered/admin/users/add/ estimated_tokens: 2296 publisher: InfluxData canonical: https://docs.influxdata.com/influxdb3/clustered/admin/users/add/ date: '2026-04-08T09:19:14-06:00' lastmod: '2026-04-08T09:19:14-06:00' --- Add a user with administrative access to your InfluxDB cluster through your[identity provider](/influxdb3/clustered/install/secure-cluster/auth/) and your InfluxDB`AppInstance` resource: 1. Use your identity provider to create an OAuth2 account for the user that needs administrative access to your InfluxDB cluster. **Refer to your identity provider’s documentation for information about adding users:** * [Keycloak: Creating users ](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-user_server_administration_guide) * [Microsoft Entra ID: How to create, invite, and delete users ](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users) * [Auth0: Team member management ](https://auth0.com/docs/get-started/auth0-teams/team-member-management) 2. Add the user to your InfluxDB `AppInstance` resource. You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`, or, if you’re using the[InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered), you can add users to your `values.yaml` to modify your `AppInstance`resource. Required credentials depend on your identity provider. #### AppInstance #### If editing your `AppInstance` resource directly, provide values for the following fields in your `myinfluxdb.yml` configuration file: * `spec.package.spec.admin` * `identityProvider`: Identity provider name.*If using Microsoft Entra ID (formerly Azure Active Directory), set the name to `azure`*. * `jwksEndpoint`: JWKS endpoint provide by your identity provider. * `users`: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider. Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but other OAuth2 providers should work as well: #### Keycloak #### ``` apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: keycloak jwksEndpoint: |- https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id: KEYCLOAK_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `KEYCLOAK_HOST`: Host and port of your Keycloak server * `KEYCLOAK_REALM`: Keycloak realm * `KEYCLOAK_USER_ID`: Keycloak user ID to grant InfluxDB administrative access to*(See [Find user IDs with Keycloak](/influxdb3/clustered/install/secure-cluster/auth/#find-user-ids-with-keycloak))* ``` apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: auth0 jwksEndpoint: |- https://AUTH0_HOST/.well-known/openid-configuration users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id: AUTH0_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `AUTH0_HOST`: Host and port of your Auth0 server * `AUTH0_USER_ID`: Auth0 user ID to grant InfluxDB administrative access to ``` apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: azure jwksEndpoint: |- https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id: AZURE_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `AZURE_TENANT_ID`: Microsoft Entra tenant ID * `AZURE_USER_ID`: Microsoft Entra user ID to grant InfluxDB administrative access to*(See [Find user IDs with Microsoft Entra ID](/influxdb3/clustered/install/secure-cluster/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))* If using the InfluxDB Clustered Helm chart, provide values for the following fields in your `values.yaml`: * `admin` * `identityProvider`: Identity provider name.*If using Microsoft Entra ID (formerly Azure Active Directory), set the name to `azure`*. * `jwksEndpoint`: JWKS endpoint provide by your identity provider. * `users`: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider. Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but other OAuth2 providers should work as well: #### Keycloak #### ``` admin: # The identity provider to be used (such as "keycloak", "auth0", or "azure") # Note, use "azure" for Azure Active Directory identityProvider: keycloak # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id: KEYCLOAK_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `KEYCLOAK_HOST`: Host and port of your Keycloak server * `KEYCLOAK_REALM`: Keycloak realm * `KEYCLOAK_USER_ID`: Keycloak user ID to grant InfluxDB administrative access to ``` admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: auth0 # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://AUTH0_HOST/.well-known/openid-configuration # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id: AUTH0_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `AUTH0_HOST`: Host and port of your Auth0 server * `AUTH0_USER_ID`: Auth0 user ID to grant InfluxDB administrative access to ``` admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: azure # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id: AZURE_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: * `AZURE_TENANT_ID`: Microsoft Entra tenant ID * `AZURE_USER_ID`: Microsoft Entra user ID to grant InfluxDB administrative access to*(See [Find user IDs with Microsoft Entra ID](/influxdb3/clustered/install/secure-cluster/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))* 3. Apply the change to your InfluxDB cluster. * If updating the `AppInstance` resource directly, use `kubectl` to apply the change. * If using the InfluxDB Clustered Helm chart, use `helm` to apply the change. #### kubectl #### ```bash kubectl apply \ --filename myinfluxdb.yml \ --namespace influxdb ``` ```bash helm upgrade \ influxdb \ influxdata/influxdb3-clustered \ -f ./values.yaml \ --namespace influxdb ``` Once applied, the added user is granted administrative access to your InfluxDB cluster and can use `influxctl` to perform administrative actions. See [Set up Authorization–Configure influxctl](/influxdb3/clustered/install/secure-cluster/auth/#configure-influxctl)for information about configuring the new user’s `influxctl` client to communicate and authenticate with your InfluxDB cluster’s identity provider. #### Related * [Set up administrative authentication](/influxdb3/clustered/install/secure-cluster/auth/) * [Configure your InfluxDB cluster](/influxdb3/clustered/install/set-up-cluster/configure-cluster/)